26 Sep Achieving HM Cyber Essentials through Self-Assessment – Part 2
If you missed part 1, you can read that here.
Part 2 – The Basics
The Cyber Essentials scheme was developed by government and industry to fulfil two specific functions: To make a clear statement regarding the basic controls that all organisations should implement so that they can mitigate the risk from common Internet-based threats, within the context of the Government’s 2016 guidance booklet, “10 Steps to Cyber Security”.
Additionally, the scheme offers a mechanism based on the Assurance Framework that offers a mechanism that organisations can use to demonstrate to customers, investors, insurers and others that they have taken these essential precautions.
Even though the Cyber Essentials scheme offers organisations a sound foundation of basic hygienic measures which they can implement and potentially build upon, the controls are not designed to remove all cyber security risks. In the case of more advanced, targeted attacks, an organisation would need to implement additional measures as part of their overall security strategy.
Cyber Essentials provides a focused set of security controls which are cost-effective and basic for organisations of all sizes to build upon if and when they believe it necessary to do so.
Cyber Essentials Basic Protection is relevant to all organisations regardless of their size. While larger organisations would be expected to already have some knowledge or experience of cyber security, smaller companies might have more limited capability and not be able to implement the full range of controls which would be required to achieve the most robust cyber protection.
The Government has determined these should be the basic categories to successfully prevent cyber attacks:
- Boundary firewalls and internet gateways
- Secure configuration
- Access control
- Malware protection
- Patch management
In implementing these requirements, organisations should review each of these categories and apply the specified control. When Cyber Essentials are implemented, organisations should be able to successfully repel both phishing and hacking attacks.
To be successful, each of these approaches requires that direction should be set by executive management with effective planning and decision making spread across the entire organisation.
The Assurance Framework
The Cyber Essentials Assurance Framework leads to the awarding of both Cyber Essentials and Cyber Essentials Plus certificates. It is designed to be light-touch and low cost. With these options, organisations have a choice over their level of assurance based on what they wish to gain and the costs involved. Certification provides only a snapshot of the entire range of cyber security practices needed while maintaining robust cyber security measures.
The Assurance Framework allows organisations to execute a staged approach towards effective information risk management against common Internet based threats in addition to other broader risks they could face. Each of the two stages adds some level of confidence and organisations should make their own decision which level they choose based on their company’s risk appetite, customer expectations and cost.
Organisations can be authorised as Cyber Essentials accredited by complying with the applicable stage requirements set for by the Government’s national accreditation body. A Certification Body is defined as a company that is accredited to assess and certify organisations based on the Cyber Essentials requirements document.
Certification can apply to all or part of the organisation’s play to combat cyber terrorism. However, the parts applicable must be clearly defined by the organisation by describing the network boundary and physical location. Also, the name on the certificate must be consistent with the scope of the document. Cyber Essentials is not intended to be used with manufacturing, industrial control systems, online retail or other types of environments. It is intended specifically for IT services and other types of systems will have different constraints, attack vectors and vulnerabilities.
Organisations can decide whether or not to include cloud services or some other externally provided IT services within the scope of their certification. The certificate will state whether externally provided IT services have been used and if they are within the scope of the certification. If an organisation intends to include externally provided IT services, then the following rules shall apply:
- For Cyber Essentials, the organisation must attest that its system delivers a service that meets the Cyber Essentials requirements intended. Any existing evidence (PCI cloud certification) can be considered as a part this process.
- For Cyber Essentials Plus, the organisation must ensure that its system delivers a service that has been appropriately tested as having met the Cyber Essentials requirements that the service provider is responsible for.
BYOD (Bring Your Own Device)
Some controls which are identified in the requirements document will need to be implemented on user devices within the organisation. Usually this has been done by centralised administration, which ensures consistency across the entire organisation. Certification of security controls in these environments is a straightforward process with usually a standard build or reference which can be assessed.
Consistency can be achieved by using a BYOD regime, but when users have more freedom in which they can customise their experience, there becomes a risk that certification and the implementation of proper controls will be more challenging, and possibly more costly as well.
Off-The-Shelf products available commercially that support web applications (including open registration) are, by default, within the scope of these devices.
Cyber Essentials certification essentially provides only a snapshot of the amount of cyber security practices an organisation has in place at the time of assessment. In order to maintain a robust cyber security stance will require additional measures including on-going updates and a generally sound risk management approach.